Daily Summary
Formbook activity declined 23% to 24 new samples, down from a 7-day average of 31. This marks a moderate decrease, with observed volumes remaining below the typical weekly baseline.
New Samples Detected
JavaScript (.js) leads with 8 samples, followed by executables (.exe) and VBScript Encoded (.vbe) files at 4 each. One file carries a random numeric extension (".32783286"), which suggests an attempt to bypass static file-type filters; note that Windows has no handler for such an extension, so the file only runs if an earlier stage renames it or hands it to an interpreter directly. Naming patterns show no significant shift; samples retain typical Formbook naming schemes, often mimicking system files or utilities.
Distribution Methods
Distribution relies heavily on script-based initiators (.js, .vbe, .vbs and .ps1, 16 samples in total) that download or execute the payload. A single .7z archive indicates occasional weaponized compressed attachments. The .exe and .dll samples most likely represent the final-stage payloads delivered after the initial script runs. This pattern matches current email-based campaigns that use phishing links or attachments with embedded scripts.
Detection Rate
Most current variants retain moderate detection rates on major AV engines, with the .exe and .dll files typically flagged. The custom-extension file and some of the JavaScript samples, however, may evade signature-based detection, as they appear to be built from recent obfuscation templates. Engines that rely on static hashes will miss newer iterations until signatures are updated.
C2 Infrastructure
55 new C2 servers were observed today, a high volume relative to the 24 new samples. This suggests either adversary testing of fresh infrastructure or rapid churn to evade takedowns. The new domains and IPs are broadly distributed with no distinct geographic concentration, although German and Dutch hosting providers, common in previous campaigns, are expected to appear.
7-Day Trend
Activity remains on a downward trajectory this week, with daily counts consistently below the weekly average. This cooling is likely part of a natural campaign cycle rather than a structural shift.
Security Analysis
The emergence of a non-standard file extension (".32783286") together with the high ratio of C2 servers to new samples (55:24, roughly 2.3:1) suggests the operators are stress-testing delivery and command infrastructure simultaneously. Typical Formbook campaigns maintain lower C2 churn, so this could indicate preparation for a larger distribution wave. Actionable recommendations: monitor outbound connections to recently registered domains on non-standard high ports, and flag any traffic to IPs on previous Formbook C2 lists. Update endpoint rules to block execution of script files (.js, .vbe, .vbs, .ps1) launched from email attachments, and set the PowerShell execution policy to AllSigned. Note that execution policy is a safety feature rather than a security boundary (a single -ExecutionPolicy Bypass argument defeats it), so pair it with application control such as AppLocker or WDAC, or Constrained Language Mode, for actual enforcement.
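The network-monitoring recommendation above, worked through as an added example that is not part of the original report: it reads a small connection export, flags destinations on a prior C2 list, and flags recently registered domains reached on non-standard high ports. The log lines, the "known C2" addresses (TEST-NET ranges) and the field layout are all constructed for illustration and are not real Formbook indicators.

```python
# Added example: flag outbound connections per the Formbook monitoring advice.
# The IOC set and the log export below are constructed (TEST-NET addresses,
# hypothetical domains); they are not real Formbook C2 indicators.
from dataclasses import dataclass
from datetime import date
from typing import Optional
import ipaddress

# Constructed "prior Formbook C2" list (hypothetical, documentation ranges only).
KNOWN_C2_IPS = {"203.0.113.17", "198.51.100.42"}

# Ports where outbound traffic is routinely expected; any port above 1023 that
# is not in this set is treated as a non-standard high port.
EXPECTED_PORTS = {80, 443, 8080, 8443}

# A domain registered fewer than this many days ago counts as "recently registered".
RECENT_DAYS = 30


@dataclass
class Alert:
    ts: str
    src: str
    dst: str
    port: int
    domain: str
    reasons: tuple


def parse_line(line: str) -> dict:
    """Parse one constructed export line:
    ts|src_ip|dst_ip|dst_port|domain|domain_registered (YYYY-MM-DD or '-')."""
    ts, src, dst, port, domain, registered = line.strip().split("|")
    ipaddress.ip_address(dst)  # raises ValueError on a malformed address
    return {"ts": ts, "src": src, "dst": dst, "port": int(port),
            "domain": domain, "registered": registered}


def is_recent(registered: str, today: date) -> bool:
    """True when WHOIS data exists and the domain is younger than RECENT_DAYS."""
    if registered == "-":
        return False  # no registration data: cannot claim "recently registered"
    return (today - date.fromisoformat(registered)).days < RECENT_DAYS


def evaluate(rec: dict, today: date, known_c2=KNOWN_C2_IPS) -> Optional[Alert]:
    """Apply both rules to one parsed record; return an Alert or None."""
    reasons = []
    if rec["dst"] in known_c2:
        reasons.append("dst matches prior Formbook C2 list")
    high_nonstd = rec["port"] > 1023 and rec["port"] not in EXPECTED_PORTS
    if high_nonstd and is_recent(rec["registered"], today):
        reasons.append("recently registered domain on non-standard high port")
    if not reasons:
        return None
    return Alert(rec["ts"], rec["src"], rec["dst"], rec["port"],
                 rec["domain"], tuple(reasons))


def scan(lines, today: date, known_c2=KNOWN_C2_IPS) -> list:
    """Run evaluate() over raw export lines, skipping blanks."""
    alerts = []
    for line in lines:
        if line.strip():
            alert = evaluate(parse_line(line), today, known_c2)
            if alert:
                alerts.append(alert)
    return alerts


# Constructed sample export (not real traffic).
SAMPLE_LOG = """\
2024-05-01T09:12:03Z|10.0.0.14|192.0.2.10|443|example.com|1995-08-14
2024-05-01T09:12:09Z|10.0.0.14|203.0.113.17|443|cdn-update.example|-
2024-05-01T09:13:41Z|10.0.0.22|198.51.100.7|7080|fresh-host.example|2024-04-20
2024-05-01T09:14:02Z|10.0.0.22|198.51.100.8|8443|fresh-host2.example|2024-04-20
2024-05-01T09:15:30Z|10.0.0.31|198.51.100.42|2053|old-host.example|2019-01-02
"""


def scan_sample() -> list:
    """Scan the constructed export as of 2024-05-01 (the day of the log)."""
    return scan(SAMPLE_LOG.splitlines(), date(2024, 5, 1))


if __name__ == "__main__":
    for alert in scan_sample():
        print(alert)
```

On the constructed export this yields three alerts: the two hits on the prior C2 list (one of them also on a high port, but with an old registration, so only the list match is reported) and the young domain reached on port 7080. The 8443 connection is not flagged because that port is in the expected set; in a real deployment the expected-port set and the age threshold should be tuned to the environment's own baseline.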